My Consul cluster has Auto Encrypt turned on and is using the connect CA (Vault provider) for Consul agent certificates.
In order for other pods to talk to the local consul agent, I have to manually add an init container (like how the Consul Helm chart does) that calls the get-consul-client-ca command to get the CA.
This can be simplified by having a mutating admission webhook automatically inject that init container for any pods with a set of annotations.
If polling mode is added as per #310, then the injector can also inject a sidecar.
Another workaround is to use Consul Template to populate some ConfigMaps in multiple namespaces automatically, but it's not as "clean" as having an injector. (cf. https://github.com/basisai/consul-autoencrypt-k8s)
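One way to build the injector the issue proposes, as an added example (not code from consul-k8s or from this thread): a mutating-webhook handler that turns a pod carrying an opt-in annotation into a JSON Patch adding the get-consul-client-ca init container and a shared CA volume. The annotation name, image tag, server address and command flags are assumptions.

```python
import base64
import json

# Hypothetical opt-in annotation; the issue only says "a set of annotations".
INJECT_ANNOTATION = "consul.hashicorp.com/auto-encrypt-ca-inject"
INIT_NAME = "get-auto-encrypt-client-ca"
VOLUME_NAME = "consul-auto-encrypt-ca"
CA_DIR = "/consul/tls/client/ca"
SERVER_ADDR = "consul-server.consul.svc"  # assumed; injector config in practice
IMAGE = "hashicorp/consul-k8s:<version>"  # placeholder image tag


def build_patch(pod: dict) -> list:
    """JSON Patch ops that inject the CA init container, or [] for a no-op."""
    spec = pod.get("spec", {})
    if pod.get("metadata", {}).get("annotations", {}).get(INJECT_ANNOTATION) != "true":
        return []
    if any(c.get("name") == INIT_NAME for c in spec.get("initContainers", [])):
        return []  # already injected: keep the webhook idempotent on re-admission
    # Same command the Helm chart's init container runs (flag names assumed from that
    # chart). A real injector should also pass -ca-file so the fetch is server-verified.
    init = {"name": INIT_NAME, "image": IMAGE,
            "command": ["/bin/sh", "-ec",
                        f"consul-k8s get-consul-client-ca -output-file={CA_DIR}/tls.crt "
                        f"-server-addr={SERVER_ADDR} -server-port=8501"],
            "volumeMounts": [{"name": VOLUME_NAME, "mountPath": CA_DIR}]}
    ops = []
    # JSON Patch "add" to a missing list fails, so create each list on first use.
    if "volumes" not in spec:
        ops.append({"op": "add", "path": "/spec/volumes", "value": []})
    ops.append({"op": "add", "path": "/spec/volumes/-", "value": {"name": VOLUME_NAME, "emptyDir": {}}})
    if "initContainers" not in spec:
        ops.append({"op": "add", "path": "/spec/initContainers", "value": []})
    ops.append({"op": "add", "path": "/spec/initContainers/-", "value": init})
    for i, c in enumerate(spec.get("containers", [])):  # CA read-only in each app container
        if "volumeMounts" not in c:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/volumeMounts", "value": []})
        ops.append({"op": "add", "path": f"/spec/containers/{i}/volumeMounts/-",
                    "value": {"name": VOLUME_NAME, "mountPath": CA_DIR, "readOnly": True}})
    return ops


def admission_response(review: dict) -> dict:
    req = review["request"]
    patch = build_patch(req["object"])
    resp = {"uid": req["uid"], "allowed": True}
    if patch:  # AdmissionReview carries the patch base64-encoded
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}
```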
Hey @david-yu, do you think this could be looked at? I am still using my consul template workaround and it's a little "yucky".
Edit: I have since moved to using the internal CA due to hashicorp/consul#8681. I understand that the Vault Agent injector is useful for Vault CA but this will not be usable when using the internal CA.
ndhanushkodi pushed a commit to ndhanushkodi/consul-k8s that referenced this issue on Jul 9, 2021:
This commit exposes TLS configuration in the Helm chart and
makes the following changes:
* Optionally allows you to turn on TLS by setting global.tls.enabled
to true.
* Exposes the default HTTPS port 8501 on clients and servers
if TLS enabled.
* Optionally allows you to disable HTTP ports on clients and servers
by setting global.tls.httpsOnly to false.
* Adds TLS bootstrapping job that generates Consul cluster CA,
as well as server and client certificates signed by that CA.
* Exposes UI service on port 443 if TLS is enabled.
* Client certs are generated in an init container so that we can add
HOST_IP as a SAN to enable other clients, e.g. sync-catalog, to talk to it
* Update pod security policies to account for HTTPS ports exposed as
hostPort if TLS is enabled
* Adds tls-init-cleanup job that deletes certs created by the tls-init
job when the Helm chart is deleted.
* Enables TLS for Consul Connect, Mesh gateways, Sync Catalog, ACL bootstrapping, and snapshot agent
* Support incremental rollout of TLS on an existing cluster
Other fixes:
* fix graceful termination for the servers (previously
terminationGracePeriod was set to 10sec, which wasn't enough time
for the servers to terminate).
Co-authored-by: Todd Radel <todd@radel.us>